Network ACL with unrestricted access to SSH
Id: terraform-aws-network-acl-with-unrestricted-access-to-ssh
Provider: AWS
Platform: Terraform
Severity: Medium
Category: Networking and Firewall
Description: Allowing SSH (TCP port 22) from all IP addresses in an AWS Network ACL by setting cidr_block = "0.0.0.0/0" on an inbound (ingress) rule exposes your resources to the public internet, making them vulnerable to brute-force attacks and unauthorized access. This misconfiguration can lead to data breaches or system compromise if attackers exploit the open access. To mitigate this risk, restrict the cidr_block attribute to trusted IP ranges only, such as cidr_block = "10.3.0.0/18". As the examples below show, the check applies both to inline ingress rules inside an aws_network_acl resource and to standalone aws_network_acl_rule resources with egress = false.
# Compliant code examples

# AWS provider configuration for the example; the region is not relevant
# to the ACL check itself.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: any hashicorp/aws release in the 3.x series.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
# Compliant: the inline ingress rule for SSH is limited to a trusted
# private range rather than 0.0.0.0/0 (list-form ingress/egress syntax).
resource "aws_network_acl" "negative1" {
  vpc_id = aws_vpc.main.id

  # Outbound HTTPS, restricted to the trusted range.
  egress = [
    {
      rule_no    = 200
      action     = "allow"
      protocol   = "tcp"
      from_port  = 443
      to_port    = 443
      cidr_block = "10.3.0.0/18"
    }
  ]

  # Inbound SSH (TCP/22) from the trusted range only; this is the rule
  # the check inspects.
  ingress = [
    {
      rule_no    = 100
      action     = "allow"
      protocol   = "tcp"
      from_port  = 22
      to_port    = 22
      cidr_block = "10.3.0.0/18"
    }
  ]

  tags = {
    Name = "main"
  }
}
# AWS provider configuration for the second compliant example.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: any hashicorp/aws release in the 3.x series.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
# Compliant: the ACL itself carries no inline rules; the SSH rule is
# declared separately as an aws_network_acl_rule resource.
resource "aws_network_acl" "negative2" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main"
  }
}
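# Compliant: standalone inbound ACL rule that allows SSH only from a
# trusted private range.
# Fixed: the rule previously referenced aws_network_acl.positive1, which
# is not declared in this example; it must attach to the "negative2" ACL.
resource "aws_network_acl_rule" "negative2" {
  network_acl_id = aws_network_acl.negative2.id
  rule_number    = 100
  egress         = false # inbound rule
  protocol       = "tcp"
  rule_action    = "allow"
  from_port      = 22
  to_port        = 22
  cidr_block     = "10.3.0.0/18" # restricted source range, not 0.0.0.0/0
}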
# AWS provider configuration for the third compliant example.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: hashicorp/aws pinned to exactly 3.52.0.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.52.0"
    }
  }
}
# Compliant: same as negative1 but using nested ingress/egress blocks
# instead of list assignment; SSH is still limited to the trusted range.
resource "aws_network_acl" "negative3" {
  vpc_id = aws_vpc.main.id

  # Outbound HTTPS, restricted to the trusted range.
  egress {
    rule_no    = 200
    action     = "allow"
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    cidr_block = "10.3.0.0/18"
  }

  # Inbound SSH (TCP/22) from the trusted range only.
  ingress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    from_port  = 22
    to_port    = 22
    cidr_block = "10.3.0.0/18"
  }

  tags = {
    Name = "main"
  }
}
# Non-compliant code examples

# AWS provider configuration for the first non-compliant example.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: any hashicorp/aws release in the 3.x series.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
# Non-compliant: the inline ingress rule allows SSH (TCP/22) from
# 0.0.0.0/0, i.e. from any address on the internet.
resource "aws_network_acl" "positive1" {
  vpc_id = aws_vpc.main.id

  # Outbound HTTPS is correctly restricted; it is not what triggers the
  # finding.
  egress = [
    {
      rule_no    = 200
      action     = "allow"
      protocol   = "tcp"
      from_port  = 443
      to_port    = 443
      cidr_block = "10.3.0.0/18"
    }
  ]

  ingress = [
    {
      rule_no    = 100
      action     = "allow"
      protocol   = "tcp"
      from_port  = 22
      to_port    = 22
      cidr_block = "0.0.0.0/0" # flagged: unrestricted source for SSH
    }
  ]

  tags = {
    Name = "main"
  }
}
# AWS provider configuration for the second non-compliant example.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: any hashicorp/aws release in the 3.x series.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}
# The ACL itself is empty; the offending SSH rule is attached below via
# a standalone aws_network_acl_rule resource.
resource "aws_network_acl" "positive2" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main"
  }
}
# Non-compliant: standalone inbound rule (egress = false) allowing
# SSH (TCP/22) from 0.0.0.0/0 on the positive2 ACL.
resource "aws_network_acl_rule" "postive2" {
  network_acl_id = aws_network_acl.positive2.id
  rule_number    = 100
  egress         = false # inbound rule
  protocol       = "tcp"
  rule_action    = "allow"
  from_port      = 22
  to_port        = 22
  cidr_block     = "0.0.0.0/0" # flagged: unrestricted source for SSH
}
# AWS provider configuration for the third non-compliant example.
provider "aws" {
  region = "us-east-1"
}
# Provider requirements: any hashicorp/aws release up to and including
# 3.52.0 is accepted by this constraint.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "<= 3.52.0"
    }
  }
}
# Non-compliant: same as positive1 but with nested ingress/egress blocks;
# the ingress block opens SSH (TCP/22) to 0.0.0.0/0.
resource "aws_network_acl" "positive3" {
  vpc_id = aws_vpc.main.id

  # Outbound HTTPS is correctly restricted.
  egress {
    rule_no    = 200
    action     = "allow"
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    cidr_block = "10.3.0.0/18"
  }

  ingress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    from_port  = 22
    to_port    = 22
    cidr_block = "0.0.0.0/0" # flagged: unrestricted source for SSH
  }

  tags = {
    Name = "main"
  }
}